[Dshield] New virus/remake of Win32.Rightu.A

Ruigrok van der Werven, Jeroen Jeroen.Ruigrok at t-mobile.nl
Fri Oct 31 11:09:43 GMT 2003


We have a virus here which didn't get picked up by our McAfee virus scanner.

To those who want it, reply and I'll send you a copy.

What I discovered is that the executable has been packed with UPX or

Does anyone know of an unpacker which doesn't run the executable?

I've seen that it replaced netwatch.exe in C:\Windows with a UPX'd
executable and gets instantly started.  It is readily viewable in

The email it uses to spread itself with is:

Hello Dear!,

Finally i've found possibility to right u, my lovely girl :) All our photos
which i've made at the beach (even when u're without ur bh:)) photos are
great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.

It seems to be classified by some people as the Win32.Rightu.A virus,
could this be a new strain?  Given the fact that it has been known since
July/August this year.

Jeroen Ruigrok van der Werven <jeroen.ruigrok at t-mobile.nl>
Systeem Specialist Unix, T-Mobile Netherlands B.V., Postbus 16272
2500 BG Den Haag | Tel: +31 - (0)6 - 2409 6844 | Fax: +31 - (0)6 - 1409 5852
A sadder and a wiser man, he rose the morrow morn.

This e-mail and its contents are subject to a DISCLAIMER with important
RESERVATIONS: see http://www.t-mobile.nl/disclaimer 
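
On the question above of inspecting a UPX-packed executable without running it: the following is an added example, not part of the original post, that reads only the PE headers from disk and reports static signs of UPX packing. The function names and the header-only sample image are constructed for illustration; the checks are heuristics and miss a sample whose section names or magic were altered.

```python
import struct
UPX_NAMES = {"UPX0", "UPX1", "UPX2"}

def pe_sections(data: bytes):
    """Parse the PE section table from raw bytes; nothing is loaded or run."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsects,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                        # first section header
    out = []
    for i in range(nsects):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, _va, rawsize, _ptr = struct.unpack_from("<8s4I", data, off)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, rawsize))
    return out

def upx_indicators(data: bytes):
    """Return the static signs of UPX packing found in the file."""
    sections = pe_sections(data)
    hits = []
    named = sorted(n for n, _, _ in sections if n in UPX_NAMES)
    if named:
        hits.append("section names: " + ",".join(named))
    # UPX's first section holds no file data; the stub unpacks into it at run time.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        hits.append("first section has no raw data")
    if b"UPX!" in data:
        hits.append("UPX! magic present")
    return hits

def build_sample(names):
    """Constructed header-only PE image for the demo (not a real sample)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    sects = b""
    for i, n in enumerate(names):
        raw = 0 if i == 0 and n.startswith("UPX") else 0x200
        sects += struct.pack("<8s8I", n.encode(), 0x1000, 0x1000 * (i + 1), raw, 0x400, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + sects + (b"UPX!" if "UPX1" in names else b"")

if __name__ == "__main__":
    print(upx_indicators(build_sample(["UPX0", "UPX1", ".rsrc"])))
    print(upx_indicators(build_sample([".text", ".data"])))
```

When these indicators are present and the packer headers are intact, UPX's own `upx -d` option decompresses the file on disk without executing it.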
